US9569616B2 · Active · Utility patent · PatentIndex score 72

Gate-level masking

Assignee: CRYPTOGRAPHY RES INC
Priority: Dec 12, 2013
Filed: Dec 10, 2014
Granted: Feb 14, 2017
Est. expiry: Dec 12, 2033 (~7.4 yrs left) · nominal 20-yr term from priority
Inventors: LEISERSON ANDREW JOHN; MARSON MARK EVAN; WACHS MEGAN ANNEKE
CPC: H04L 2209/12, H04L 2209/04, H04L 2209/16, H04L 9/003, G06F 21/755, G06F 21/72, G06F 21/71, G06F 21/558

PatentIndex Score: 72
Cited by: 2
References: 31
Claims: 18

Abstract

A method of and system for gate-level masking of secret data during a cryptographic process is described. A mask share is determined, wherein a first portion of the mask share includes a first number of zero-values and a second number of one-values, and a second portion of the mask share includes the first number of one-values and the second number of zero-values. Masked data values and the first portion of the mask share are input into a first portion of masked gate logic, and the masked data values and the second portion of the mask share are input into a second portion of the masked gate logic. A first output from the first portion of the masked gate logic and a second output from the second portion of the masked gate logic are identified, wherein either the first output or the second output is a zero-value.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method of gate-level masking of secret data during a cryptographic process comprising:
  determining a mask share, wherein a first portion of the mask share comprises a first number of zero-values and a second number of one-values, and a second portion of the mask share comprises the first number of one-values and the second number of zero-values;
  inputting masked data values and the first portion of the mask share into a first portion of masked gate logic, and inputting the masked data values and the second portion of the mask share into a second portion of the masked gate logic; and
  identifying a first output from the first portion of the masked gate logic and a second output from the second portion of the masked gate logic, wherein either the first output or the second output is a zero-value, wherein values t_{2^n} to t_{2^(n+1)-1} of the mask share are computed as t_{i+2^n} = ƒ(i⊕m)⊕m_q, wherein m is an n-bit input mask and m_q is a 1-bit output mask, and wherein values t_0 to t_{2^n-1} are a complement of the values t_{2^n} to t_{2^(n+1)-1}.

2. The method of claim 1 further comprising determining a final output based on the first output and the second output.

3. The method of claim 2, wherein the final output is independent of the secret data.

4. The method of claim 2, wherein the determining the mask share is temporally separated from the determining the final output.

5. The method of claim 1 further comprising routing the first output and the second output to one or more other gates.

6. The method of claim 1 further comprising precharging the masked gate logic with all zero-input.

7. The method of claim 6, wherein the precharging occurs prior to inputting the masked data values, the first portion of the mask share, and the second portion of the mask share.

8. The method of claim 7, wherein the first portion of the logic gate comprises a first four AND gates and a first OR gate, the first OR gate receiving outputs of the first four AND gates, and wherein the second portion of the logic gate comprises a second four AND gates and a second OR gate, the second OR gate receiving outputs of the second four AND gates.

9. The method of claim 8, wherein the output of only one of the first four AND gates and the second four AND gates rises, and wherein the output of the OR gate receiving the output of the AND gate that rises also rises.

10. The method of claim 1, wherein m has an all-zero value or an all-one value, and wherein m_q has the same value as the bits of m.

11. The method of claim 1, wherein the mask share is stored in a first-in-first-out (FIFO) buffer for one or more clock cycles prior to inputting the masked data values and the first portion of the mask share into the first portion of masked gate logic, and inputting the masked data values and the second portion of the mask share into the second portion of the masked gate logic.

12. The method of claim 1, wherein the masked data values comprise a first masked data value, a complement of the first masked data value, a second masked data value, and a complement of the second masked data value.

13. A system for gate-level masking of secret data during a cryptographic process, the system comprising:
  a mask generator circuit that determines a mask share, wherein a first portion of the mask share comprises a first number of zero-values and a second number of one-values, and a second portion of the mask share comprises the first number of one-values and the second number of zero-values; and
  masked gate logic circuit coupled to the mask generator circuit, the masked gate logic circuit comprising a first portion and a second portion, wherein the first portion of the masked gate logic circuit receives masked data values and the first portion of the mask share, and provides a first output, and wherein the second portion of the masked gate logic circuit receives the masked data values and the second portion of the mask share, and provides a second output, wherein values t_{2^n} to t_{2^(n+1)-1} of the mask share are computed as t_{i+2^n} = ƒ(i⊕m)⊕m_q wherein m is an n-bit input mask and m_q is a 1-bit output mask, and wherein values t_0 to t_{2^n-1} are a complement of the values t_{2^n} to t_{2^(n+1)-1}.

14. The system of claim 13, wherein a final output is determined based on the first output and the second output, and wherein the final output is independent of the secret data.

15. The system of claim 13, wherein the first output and the second output are routed to one or more other gates.

16. The system of claim 13, wherein the first portion of the masked gate logic circuit comprises a first four AND gates and a first OR gate, the first OR gate receiving outputs of the first four AND gates, and wherein the second portion of the masked gate logic circuit comprises a second four AND gates and a second OR gate, the second OR gate receiving outputs of the second four AND gates.

17. The system of claim 16, wherein the output of exactly one of the first four AND gates and the second four AND gates rises, and wherein the output of the OR gate receiving the output of the AND gate that rises also rises.

18. The system of claim 13, wherein the mask share is stored in a first-in-first-out (FIFO) buffer for one or more clock cycles prior to the first portion of the masked gate logic circuit receiving the masked data values and the first portion of the mask share, and the second portion of the masked gate logic circuit receiving the masked data values and the second portion of the mask share.
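As an added illustration (not code from the patent, nor from Cryptography Research), the following Python simulates the scheme of claims 1, 8, 9 and 12 for a 2-input gate: it builds the 2^(n+1)-entry mask share t (upper half ƒ(i⊕m)⊕m_q, lower half its complement), feeds the dual-rail masked data and each half of the share into a four-AND/one-OR portion, and checks exhaustively over every input, input mask and output mask that exactly one AND output rises, that one of the two OR outputs is always zero, and that unmasking the second portion's output with m_q recovers ƒ. The exact AND-gate wiring (the minterm of the masked inputs ANDed with the matching share bit) and all function names are assumptions of this example; the claims do not spell them out.

```python
from itertools import product


def mask_share(f, n, m, m_q):
    """Mask share t of 2^(n+1) bits for the n-input Boolean function f.

    Upper half (claims 1/13): t[i + 2^n] = f(i ^ m) ^ m_q for 0 <= i < 2^n,
    where i is the masked input index, m the n-bit input mask and m_q the
    1-bit output mask.  Lower half: the bitwise complement of the upper half.
    """
    size = 1 << n
    upper = [f(i ^ m) ^ m_q for i in range(size)]
    lower = [1 - v for v in upper]
    return lower + upper


def share_halves_are_complementary(t, n):
    """Zero/one counts of the two halves are swapped, as claim 1 words it."""
    size = 1 << n
    lower, upper = t[:size], t[size:]
    return (lower.count(0), lower.count(1)) == (upper.count(1), upper.count(0))


def dual_rail(masked_index, n):
    """Masked data values as in claim 12: each masked bit and its complement."""
    bits = [(masked_index >> k) & 1 for k in range(n)]
    return [(b, 1 - b) for b in bits]


def masked_gate(t, masked_index, n):
    """One evaluation of the masked gate logic after an all-zero precharge.

    Assumed wiring (not spelled out in the claims): AND gate j of each portion
    combines the minterm that selects masked index j (built from the dual-rail
    inputs) with the j-th bit of that portion's mask share; an OR gate collects
    the AND outputs.  Returns the AND outputs and OR outputs of both portions.
    """
    size = 1 << n
    rails = dual_rail(masked_index, n)
    minterm = []
    for j in range(size):
        v = 1
        for k, (true_rail, comp_rail) in enumerate(rails):
            v &= true_rail if (j >> k) & 1 else comp_rail
        minterm.append(v)
    and_first = [minterm[j] & t[j] for j in range(size)]          # first portion
    and_second = [minterm[j] & t[j + size] for j in range(size)]  # second portion
    or_first, or_second = max(and_first), max(and_second)
    return and_first, and_second, or_first, or_second


def rising_outputs(t, masked_index, n):
    """Number of gate outputs that go 0 -> 1 from the precharged state."""
    and_first, and_second, or_first, or_second = masked_gate(t, masked_index, n)
    return sum(and_first) + sum(and_second) + or_first + or_second


def check_gate(f, n=2):
    """Exhaustively check the claimed properties for every input, mask and m_q."""
    size = 1 << n
    for x, m, m_q in product(range(size), range(size), (0, 1)):
        t = mask_share(f, n, m, m_q)
        assert share_halves_are_complementary(t, n)
        and_first, and_second, or_first, or_second = masked_gate(t, x ^ m, n)
        assert sum(and_first) + sum(and_second) == 1  # exactly one AND rises (claim 9)
        assert or_first + or_second == 1              # one OR output is zero (claim 1)
        assert rising_outputs(t, x ^ m, n) == 2       # data-independent switching count
        assert or_second ^ m_q == f(x)                # unmasking recovers f(x)
    return True


def masked_output_counts(f, n=2):
    """Per secret input x: how often the masked output is 1 over all (m, m_q).

    Equal counts for every x show the masked output alone reveals nothing about x.
    """
    size = 1 << n
    counts = []
    for x in range(size):
        ones = 0
        for m, m_q in product(range(size), (0, 1)):
            t = mask_share(f, n, m, m_q)
            ones += masked_gate(t, x ^ m, n)[3]
        counts.append(ones)
    return counts


def AND2(i):
    """2-input AND; input k sits at bit k of the index (constructed test gate)."""
    return (i & 1) & ((i >> 1) & 1)


def XOR2(i):
    """2-input XOR with the same index convention (constructed test gate)."""
    return (i & 1) ^ ((i >> 1) & 1)


if __name__ == "__main__":
    print("mask share for AND2, m=0b11, m_q=1:", mask_share(AND2, 2, 0b11, 1))
    print("all claimed properties hold:", check_gate(AND2) and check_gate(XOR2))
    print("masked-output counts per secret input:", masked_output_counts(AND2))
```

The constant rising_outputs value of 2 for every input, input mask and output mask is the property that matters against power analysis: after the all-zero precharge of claims 6 and 7, the number of gate outputs that switch does not depend on the secret data. masked_output_counts makes the independence of claim 3 concrete at first order: the masked output is 1 equally often for every secret input, so it is the share t (kept separate in time per claim 4, or in the FIFO of claim 11) that carries the information needed to unmask.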

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.